Security updates

The list below enumerates the Express vulnerabilities that were fixed in the specified version update.

4.x

• 4.21.2
  • The dependency path-to-regexp has been updated to address a vulnerability.
• 4.21.1
  • The dependency cookie has been updated to address a vulnerability, This may affect your application if you use res.cookie.
• 4.20.0
  • Fixed XSS vulnerability in res.redirect (advisory, CVE-2024-43796).
  • The dependency serve-static has been updated to address a vulnerability.
  • The dependency send has been updated to address a vulnerability.
  • The dependency path-to-regexp has been updated to address a vulnerability.
  • The dependency body-parser has been updated to addres a vulnerability, This may affect your application if you had url enconding activated.
• 4.19.0, 4.19.1
  • Fixed open redirect vulnerability in res.location and res.redirect (advisory, CVE-2024-29041).
• 4.17.3
  • The dependency qs has been updated to address a vulnerability. This may affect your application if the following APIs are used: req.query, req.body, req.param.
• 4.16.0
  • The dependency forwarded has been updated to address a vulnerability. This may affect your application if the following APIs are used: req.host, req.hostname, req.ip, req.ips, req.protocol.
  • The dependency mime has been updated to address a vulnerability, but this issue does not impact Express.
  • The dependency send has been updated to provide a protection against a Node.js 8.5.0 vulnerability. This only impacts running Express on the specific Node.js version 8.5.0.
• 4.15.5
  • The dependency debug has been updated to address a vulnerability, but this issue does not impact Express.
  • The dependency fresh has been updated to address a vulnerability. This will affect your application if the following APIs are used: express.static, req.fresh, res.json, res.jsonp, res.send, res.sendfile res.sendFile, res.sendStatus.
• 4.15.3
  • The dependency ms has been updated to address a vulnerability. This may affect your application if untrusted string input is passed to the maxAge option in the following APIs: express.static, res.sendfile, and res.sendFile.
• 4.15.2
  • The dependency qs has been updated to address a vulnerability, but this issue does not impact Express. Updating to 4.15.2 is a good practice, but not required to address the vulnerability.
• 4.11.1
  • Fixed root path disclosure vulnerability in express.static, res.sendfile, and res.sendFile
• 4.10.7
  • Fixed open redirect vulnerability in express.static (advisory, CVE-2015-1164).
• 4.8.8
  • Fixed directory traversal vulnerabilities in express.static (advisory , CVE-2014-6394).
• 4.8.4
  • Node.js 0.10 can leak fds in certain situations that affect express.static and res.sendfile. Malicious requests could cause fds to leak and eventually lead to EMFILE errors and server unresponsiveness.
• 4.8.0
  • Sparse arrays that have extremely high indexes in the query string could cause the process to run out of memory and crash the server.
  • Extremely nested query string objects could cause the process to block and make the server unresponsive temporarily.

3.x

• 3.19.1
  • Fixed root path disclosure vulnerability in express.static, res.sendfile, and res.sendFile
• 3.19.0
  • Fixed open redirect vulnerability in express.static (advisory, CVE-2015-1164).
• 3.16.10
  • Fixed directory traversal vulnerabilities in express.static.
• 3.16.6
  • Node.js 0.10 can leak fds in certain situations that affect express.static and res.sendfile. Malicious requests could cause fds to leak and eventually lead to EMFILE errors and server unresponsiveness.
• 3.16.0
  • Sparse arrays that have extremely high indexes in query string could cause the process to run out of memory and crash the server.
  • Extremely nested query string objects could cause the process to block and make the server unresponsive temporarily.
• 3.3.0
  • The 404 response of an unsupported method override attempt was susceptible to cross-site scripting attacks.